Project

General

Profile

Actions

Feature #16171

closed

Support generic OpenID Connect login provider

Added by Tom Clegg almost 5 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
Login
Target version:
Start date:
06/01/2020
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
-
Release relationship:
Auto

Description

The current Google login implementation uses OpenID Connect, but it's hardwired to use the Google endpoint, and it uses the Google People API to look up alternate email addresses.

This feature adds config keys to specify an OpenID Connect endpoint as the login provider.

Clusters:
  zzzzz:
    Login:
      OpenIDConnect:
        Enable: true
        Issuer: https://accounts.example.com
        ClientID: aaaaaaaaaaa
        ClientSecret: zzzzzzzzzzzz

There's no user-facing chooser page: only one (Google or generic OIDC endpoint) can be configured at a time.

Implementation:
  • rename googleLoginController to oidcLoginController
  • use client ID/secret from whichever set of config keys (OpenIDConnect or Google) is in play
  • if using OIDC keys, don't attempt the Google People API lookup

Subtasks 1 (0 open1 closed)

Task #16461: Review 16171-oidc-configResolvedTom Clegg06/01/2020

Actions

Related issues 2 (0 open2 closed)

Related to Arvados Epics - Story #15322: Replace and delete sso-providerResolved03/11/202008/26/2020

Actions
Related to Arvados - Bug #17748: OIDC should read given name / family name fieldsResolvedNico César06/08/2021

Actions
Actions

Also available in: Atom PDF